b"                                             Office of Inspector General\n                                            Corporation for National and\n                                                     Community Service\n\n\n\n\n           FEDERAL INFORMATION SYSTEM\n MANAGEMENT ACT (FISMA) REVIEW FOR FY 2011\nCORPORATION FOR NATIONAL AND COMMUNITY SERVICE\n\n\n\n\n                  FINAL\n\n\n           NOVEMBER 10, 2011\n\n\n\n\n                Prepared by:\n\n     Richard S. Carson & Associates, Inc.\n      4720 Montgomery Lane, Suite 800\n         Bethesda, Maryland 20814\n\x0cFinal                                                                                            Independent Evaluation Report\n                                                       Corporation for National and Community Service FISMA Review for FY 2011\n\n\n                                                     TABLE OF CONTENTS\n\n\nExecutive Summary .................................................................................................................... ii\n    Results in Brief ......................................................................................................................... ii\nAbbreviations And Acronyms .................................................................................................. iv\nReferenced Documents .............................................................................................................. v\nGeneral Overview ........................................................................................................................ 1\nIndependent Evaluation ............................................................................................................. 1\nSecurity Program Evaluation ..................................................................................................... 
2\n        CONCLUSIONS ....................................................................................................................... 2\nEvaluation of Agency Oversight of Contractor ........................................................................ 3\n        CONCLUSIONS ....................................................................................................................... 3\nEvaluation of Agency Plan of Action and Milestones (POA&M) Process.............................. 3\n        CONCLUSIONS ....................................................................................................................... 3\nState Field Office Assessments ................................................................................................ 4\n        CONCLUSIONS ...................................................................................................................... 4\n        RECOMMENDATIONS .............................................................................................................. 4\nAppendix A \xe2\x80\x93 Detailed Findings and Recommendation.......................................................... 5\nAppendix B \xe2\x80\x93 Corporation Management Response ................................................................ 7\n\n\n\n\n                                                                        i                                               November 10, 2011\n\x0cFinal                                                                           Independent Evaluation Report\n                                      Corporation for National and Community Service FISMA Review for FY 2011\n\n\n\n\nEXECUTIVE SUMMARY\n\nThe Office of Inspector General (OIG), Corporation for National and Community Service\n(Corporation) contracted with Richard S. Carson & Associates, Inc. 
(Carson) to perform a Fiscal\nYear (FY) 2011 independent Federal Information Security Management Act (FISMA) evaluation\nof the Corporation\xe2\x80\x99s information technology systems, controls, and policies. The objectives of\nthe evaluation were to:\n\n    \xef\x82\xb7   Determine the efficiency and effectiveness of the Corporation\xe2\x80\x99s information security\n        policies, procedures, and practices\n    \xef\x82\xb7   Review network/system security of a representative subset of the Corporation\xe2\x80\x99s systems\n    \xef\x82\xb7   Assess the Corporation\xe2\x80\x99s compliance with FISMA and related information security\n        policies, procedures, standards, and guidelines\n    \xef\x82\xb7   Assess the Corporation\xe2\x80\x99s progress in correcting weaknesses identified in prior-year\n        FISMA evaluations\n    \xef\x82\xb7   Evaluate personally identifiable information (PII) protection and physical controls at field\n        office sites\n\nRESULTS IN BRIEF\n\nThe Corporation has taken significant steps to enhance its information security program and\naddress issues identified in the FY 2010 FISMA report, including the following:\n\n    \xef\x82\xb7   The Certification and Accreditation (C&A) process has been re-worked to ensure full\n        compliance with the National Institute of Standards and Technology (NIST) guidance,\n        provide better documentation, and increase assurance that controls have been\n        adequately assessed. Specific improvements include:\n\n        o   Continued development of policies and procedures;\n        o   Continued oversight of the technology contractor SRA International, Inc. 
(SRA) and\n            other contracted services;\n        o   Scanning to include field office site networks and Corporation headquarters\n            systems;\n        o   Continued training in proper protection and handling of PII information for field office\n            staff; and\n        o   Documentation of processes and controls\n\nWe have made five recommendations in areas needing improvement to further enhance\ncompliance with the Corporation\xe2\x80\x99s information security program. The recommendations are\nsummarized on page 5 of this report.\n\n\n\n\n                                                  ii                                     November 10, 2011\n\x0cFinal                                                                          Independent Evaluation Report\n                                     Corporation for National and Community Service FISMA Review for FY 2011\n\n\nCorporation Response\n\nCarson will review the Corporation\xe2\x80\x99s response to the Notification of Findings and\nRecommendations, which will be included as Attachment B.\n\nBACKGROUND\n\nOn December 17, 2002, President George W. Bush signed into law the E-Government Act of\n2002 (Public Law 107-347), which includes Title III, the Federal Information Security\nManagement Act (FISMA) of 2002. FISMA permanently reauthorized the framework laid out in\nthe Government Information Security Reform Act (GISRA) of 2000, which expired in November\n2002.\n\nFISMA outlines the information security management requirements for agencies, including the\nrequirement for annual review and independent assessment by agency inspectors general. In\naddition, FISMA includes new provisions aimed at further strengthening the security of the\nFederal Government\xe2\x80\x99s information and information systems, such as the development of\nminimum standards for agency systems. 
The annual assessments provide agencies with the\ninformation needed to determine the effectiveness of overall security programs and to develop\nstrategies and best practices for improving information security.\n\nFISMA requires all Federal agencies to implement and maintain information security policies,\nprocedures, and control techniques to ensure that information is protected commensurate with\nthe risk and magnitude of the harm that would result from the loss, misuse, unauthorized\naccess, or modification of such information.\n\n\n\n\n                                                 iii                                    November 10, 2011\n\x0cFinal                                                                      Independent Evaluation Report\n                                 Corporation for National and Community Service FISMA Review for FY 2011\n\n\nABBREVIATIONS AND ACRONYMS\n\nC&A               Certification and Accreditation\nCCB               Change Configuration Board\nCIO               Chief Information Officer\nCISO              Chief Information Security Officer\nCM                Configuration Management\nCOOP              Continuity of Operations Plan\nCP                Contingency Plan\n\n\nE-SPAN            Electronic-System for Programs, Agreements, and National Service\n\nFIPS              Federal Information Processing Standards\nFISMA       Federal Information Security Management Act\n\nFY                Fiscal Year\n\nGSS               General Support System\n\nIG                Inspector General\nISSO              Information System Security Officer\nIT                Information Technology\n\nLAN               Local Area Network\n\n\nNIST              National Institute of Standards and Technology\n\nOIG               Office of Inspector General\nOIT               Office of Information Technology\nOMB               Office of Management and Budget\n\nPII               Personally Identifiable Information\nPIA               Privacy Impact 
Assessment\nPOA&M             Plan of Action and Milestones\n\nRA                Risk Assessment\n\nSDLC              System Development Life Cycle\nSETA              Security Education, Training, and Awareness\nSP                Special Publication\nSSP               System Security Plan\n\nUS-CERT           United States Computer Emergency Readiness Team\n\n\n\n\n                                             iv                                     November 10, 2011\n\x0cFinal                                                                         Independent Evaluation Report\n                                    Corporation for National and Community Service FISMA Review for FY 2011\n\n\nREFERENCED DOCUMENTS\n\nFederal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347)\n\nOffice of Management and Budget (OMB)\nCircular A-130, Appendix III, Security of Federal Automated Information Resources\nMemorandum 07-19, FY 2007 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management\nMemorandum 07-16, Safeguarding Against and Responding to the Breach of Personally\nIdentifiable Information\nMemorandum 06-15, Safeguarding Personally Identifiable Information\nMemorandum 03-22, OMB Guidance for Implementing the Privacy Provisions of the E-\nGovernment Act of 2002\n\nNIST Federal Information Processing Standards (FIPS)\nFIPS 200, Minimum Security Requirements for Federal Information and Information Systems\nFIPS 199, Standards for Security Categorization of Federal Information and Information\nSystems\n\nNIST Special Publications (SP)\n800-18, Revision 1, Guide for Developing Security Plans for Information Technology Systems\n800-30, Risk Management Guide for Information Technology Systems\n800-34, Revision 1, Contingency Planning Guide for Information Technology Systems\n800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information\nSystems: A Security Life Cycle 
Approach\n800-53, Revision 3, Recommended Security Controls for Federal Information Systems\n800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems\n800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to\nSecurity Categories: (2 Volumes) - Volume 1: Guide Volume 2: Appendices\n800-83, Guide to Malware Incident Prevention and Handling\n800-100, Information Security Handbook: A Guide for Managers\n\n\n\n\n                                                v                                      November 10, 2011\n\x0cFINAL                                                                          Independent Evaluation Report\n                                     Corporation for National and Community Service FISMA Review for FY 2011\n\n\n\nGENERAL OVERVIEW\n\nFISMA section 3542(b)(1)(A),(B),(C) defines information security as \xe2\x80\x9c\xe2\x80\xa6 protecting information\nand information systems from unauthorized access, use, disclosure, disruption, modification, or\ndestruction in order to provide (A) integrity\xe2\x80\x94guarding against improper information modification\nor destruction, and ensuring information non-repudiation and authenticity; (B) confidentiality\xe2\x80\x94\npreserving authorized restrictions on access and disclosure, including means for protecting\npersonal privacy and proprietary information; and (C) availability\xe2\x80\x94ensuring timely and reliable\naccess to and use of information.\xe2\x80\x9d\n\nINDEPENDENT EVALUATION\n\nField work for this independent evaluation was conducted from June through October 2011 and\ncovered the following Corporation systems: the Corporation network (Network GSS); Electronic\nSystem for Programs, Agreements and National Service (E-SPAN), and the HP-Helpdesk. 
Our\nevaluation methodology is compliant with the Council of Inspectors General on Integrity and\nEfficiency (CIGIE), \xe2\x80\x9cQuality Standards for Inspections and Evaluations,\xe2\x80\x9d and consists of\ninquiries, observations, and inspection of Corporation documents and records, as well as direct\ntesting of controls in order to conclude the evaluation.\n\nThis section provides the conclusions of our research, analysis, and assessment of the\nCorporation\xe2\x80\x99s information security program, policies, and practices. Compliance with security\npolicy, standards, and guidance prescribed by the Office of Management and Budget (OMB),\nthe National Institute for Standards and Technology (NIST), and related authoritative policies,\nprocedures, standards, and guidelines (criteria), where applicable, are cited when describing a\nspecific condition.\n\nThe Corporation has taken significant steps to enhance its information security program and\naddress issues identified in prior FISMA evaluations. It has outsourced its technology activities\nwith regard to Network core services, as well as the Exchange services, Blackberry Enterprise\nservices, and \xe2\x80\x9cshared\xe2\x80\x9d drive services to SRA International, Inc. 
The Corporation and SRA are in\nthe process of addressing procedures in the following areas:\n\n   \xef\x82\xb7    System security plan\n   \xef\x82\xb7    POA&M execution and continuous monitoring\n   \xef\x82\xb7    Policy and procedures\n\n\n\n\n                                                 1                                      November 10, 2011\n\x0cFINAL                                                                          Independent Evaluation Report\n                                     Corporation for National and Community Service FISMA Review for FY 2011\n\n\n\nSECURITY PROGRAM EVALUATION\n\nFISMA requires the development, documentation, and implementation of an agency-wide\ninformation security program to provide information security for the information and information\nsystems that support the operations and assets of the agency, including those provided by or\nmanaged by another agency, contractor, or other sources. NIST Special Publication (SP) 800-\n100, \xe2\x80\x9cInformation Security Handbook: A Guide for Managers,\xe2\x80\x9d identifies information security\nprogram elements that are expected to be incorporated into information security programs\nacross the Federal sector.\n\nCONCLUSIONS\n\nThe Corporation has documented an Information Security Program Plan that adequately\naddresses security program elements recommended by NIST guidance, including:\n\n   \xef\x82\xb7    Formal information security governance structure\n   \xef\x82\xb7    Integrating security into the System Development Life Cycle (SDLC)\n        o Periodic assessments of risk\n        o Policies and procedures that are based on these risk assessments\n   \xef\x82\xb7    Security awareness training\n   \xef\x82\xb7    Plans for providing adequate information security for networks, facilities, information\n        systems, or groups of information systems, as appropriate\n   \xef\x82\xb7    Periodic testing and evaluation of the effectiveness of information security 
policies,\n        procedures, practices, and security controls\n        o A process for planning, implementing, evaluating, and documenting remedial actions\n            to address any deficiencies in the information security policies, procedures, and\n            practices of the organization\n        o Configuration management processes to manage the effects of changes or\n            differences in configurations on an information system or network\n   \xef\x82\xb7    Procedures for detecting, reporting, and responding to security incidents\n   \xef\x82\xb7    Plans and procedures for continuity of operations for information systems that support\n        the operations and assets of the organization\n\n\n\n\n                                                 2                                      November 10, 2011\n\x0cFINAL                                                                           Independent Evaluation Report\n                                      Corporation for National and Community Service FISMA Review for FY 2011\n\n\n\nEVALUATION OF AGENCY OVERSIGHT OF CONTRACTOR\n\nFISMA requires that Federal agencies perform oversight and evaluations to ensure information\nsystems used or operated by a contractor, or other organization on behalf of the agency, meet\nthe requirements of FISMA, OMB policy, NIST guidelines, and Corporation policy. 
FISMA\nSection 3544(a) (1) (A) (ii) describes Federal agency security responsibilities as including\n\xe2\x80\x9cinformation systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency.\xe2\x80\x9d Section 3544(b) requires that each agency provide\ninformation security for the information and \xe2\x80\x9cinformation systems that support the operations\nand assets of the agency, including those provided or managed by another agency, contractor,\nor other source.\xe2\x80\x9d\n\nOMB Memorandum 07-19, FY 2007 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management states: \xe2\x80\x9cAgencies are responsible for\nensuring the security of information systems used by a contractor of their agency or other\norganization on behalf of their agency. Agencies and service providers have a shared\nresponsibility for FISMA compliance.\xe2\x80\x9d\n\nThe Corporation in FY 2009 began an effort to outsource the hosting and maintenance of\ninformation assets associated with its Network core services, Exchange services, Blackberry\nEnterprise services, and \xe2\x80\x9cShared\xe2\x80\x9d drive services. It completed the outsourcing and equipment\nmigration effort in early FY 2010 to SRA International, Inc.\n\nCONCLUSIONS\n\nThe Corporation maintains oversight of SRA through weekly meetings with SRA\xe2\x80\x99s Information\nSystem Security Officer (ISSO) in which all tasks conducted are reviewed and planned. The\nCorporation\xe2\x80\x99s Chief Information Security Officer (CISO) and SRA\xe2\x80\x99s ISSO meet weekly for\nservice updates and also use the Change Control Board (CCB) to monitor the progress of the\nvendor. A Weekly Transition and Operations meeting is conducted with the COTR, the ISSO,\nCorporation personnel, and other SRA personnel. 
The Corporation has documented contract\nrequirements that include continuous monitoring language.\n\n\nEVALUATION OF AGENCY PLAN OF ACTION AND MILESTONES (POA&M) PROCESS\n\nOMB guidance on FISMA implementation requires agencies to identify and report on significant\ndeficiencies in their information security program. A significant deficiency is a weakness in the\nagency\xe2\x80\x99s overall information system security program or management control structure, or\nwithin one or more information systems, that significantly restricts the capability of agency to\ncarry out its mission or compromises the security of its information, information systems,\npersonnel, or other resources, operations, or assets.\n\nCONCLUSIONS\n\nThe Corporation\xe2\x80\x99s Information Security Policy requires that POA&Ms be maintained for the\nsecurity program and for each major system. It also requires that any official reports providing\nspecific information on weaknesses or vulnerabilities resulting from OIG audits, reviews, or\nscanning activity related to such work as risk assessments, certification testing, or penetration\ntesting be documented and tracked as part of the specific system POA&M documentation.\n\n\n\n                                                  3                                      November 10, 2011\n\x0cFINAL                                                                           Independent Evaluation Report\n                                      Corporation for National and Community Service FISMA Review for FY 2011\n\n\n\n\nPOA&Ms for the E-Span and the network systems have been documented and are being\naddressed. Most of the POA&M milestone and completion dates are based on the completion\nof the outsourcing and data center migration in FY 2010. No exceptions were found with the\nPOA&M tracking and vulnerability mitigation process. 
This was verified by review of the\nPOA&M documentation from the FY 2010 C&A process.\n\n\nSTATE FIELD OFFICE ASSESSMENTS\n\nState field office assessments were conducted on three state field offices and one AmeriCorps\nNational Civilian Community Corps (NCCC) campus, evaluating environmental controls,\nphysical controls, and PII protection. The following sites were reviewed: Detroit, MI;\nMinneapolis, MN; Sacramento, CA; and Los Angeles, CA. As part of our assessment strategy,\nworkspace and office suite areas were inspected for PII exposure.\n\nCONCLUSIONS\n\nThe field office findings included instances of PII information exposure, PII hardcopy violations,\ndrive storage violations, physical access violations, and infrastructure physical protection issues.\n\n\nRECOMMENDATION\n\nWe recommend that the existing Corporation policy for protecting and handling of PII be\nreferenced and enforced. All forms of PII (paper and electronic) must be stored in designated\nfile cabinets. Recycling bins used to store PII before it can be properly destroyed must be\nsecured to prevent unauthorized access.\n\n\n\n\n                                                  4                                      November 10, 2011\n\x0cFINAL                                                                          Independent Evaluation Report\n                                     Corporation for National and Community Service FISMA Review for FY 2011\n\n\n\nAPPENDIX A \xe2\x80\x93 DETAILED FINDINGS AND RECOMMENDATION\n\nFindings and Recommendations\n\nNotification of Finding # 1: The ESPAN annual assessment test plan and test documentation\nis insufficient because it does not provide procedures for testing controls, the dates when the\ncontrols are tested, or links to the source documentation to show evidence of the testing.\n\n\nRecommendation(s)\n\n        We recommend that CNCS conduct annual assessments in a more structured, planned\n        process that provides detailed information 
regarding test dates, explanation of testing\n        procedures, and links from the controls to the source documents.\n\n\nNotification of Finding # 2: There are no agreements defining the level of service for the HP\nhelp desk\xe2\x80\x99s fax location or documentation stating that the fax location is in compliance with\nCNCS security requirements. The Certification and Accreditation documentation lists four areas\nwithin the HP boundary: Chicago, IL; Santa Clara, CA; London, KY; and Orlando, FL. The\nMontgomery, AL, facility is not included within the C&A boundary.\n\n\nRecommendation(s)\n\n        We recommend that CNCS require HP to develop an SLA or provide C&A\n        documentation for the fax location in Montgomery. We also recommend that the\n        Montgomery facility be included within the C&A boundary to ensure that the proper\n        security controls are in place to protect CNCS information.\n\n\nNotification of Finding # 3: There is no Service Level Agreement (SLA) or Certification and\nAccreditation documentation for the SRA help desk regarding its use of a third-party vendor,\nServiceNow (HP help desk\xe2\x80\x99s Fax location), to document and track help desk calls and requests\nfor the CNCS network and computing environment.\n\nRecommendation(s)\n\n        We recommend that SRA include the ServiceNow server as part of the CNCS network\n        boundary and require SRA to provide either a SLA or C&A documentation for it.\n\n\nNotification of Finding # 4: Personally Identifiable Information (PII) was found exposed in the\noffice suite of the Michigan State office. 
Documents were found containing names, Social\nSecurity Numbers (SSN), and addresses in a box in an open, unlocked supply room.\n\n\n\n\n                                                 5                                      November 10, 2011\n\x0cFINAL                                                                          Independent Evaluation Report\n                                     Corporation for National and Community Service FISMA Review for FY 2011\n\n\n\nRecommendation(s)\n\n        We recommend that CNCS require all office directors to conduct semiannual office walk-\n        throughs to detect instances of unsecured PII. If a violation is detected, PII documents\n        should be secured or disposed of in a secure manner. The results of the walk-through\n        should be reported to the Chief Information Security Officer or designee.\n\nNotification of Finding # 5: Our review of the CNCS Information Security Policies (CNCS ISP)\ndisclosed several references to a CNCS record retention policy. However, we were not provided\na copy of this policy and, therefore, could not validate its\xe2\x80\x99 existence.\n\n\nRecommendation(s)\n\n        We recommend that CNCS develop a record retention policy that speaks directly to the\n        procedures required by NARA and issue this policy to field office directors.\n\n\n\n\n                                                 6                                      November 10, 2011\n\x0cFINAL                                                                   Independent Evaluation Report\n                              Corporation for National and Community Service FISMA Review for FY 2011\n\n\n\nAPPENDIX B \xe2\x80\x93 CORPORATION MANAGEMENT RESPONSE\n\n\n\n\n                                          7                                      November 10, 2011\n\x0cNATIONAL&:\nCOMMUNITY\nSERVICE me\n      November 9, 2011\n\n\n      TO:            Robert J. 
Walters\n                     Assistant Inspector General Investigations\n\n      THRU:          Robert Velasco, II\n                     Acting Chief Executive Officer\n\n      FROM:          Philip Clark\n                     Chief Information Officer\n\n      Subject: Corporation Comments on OIG FISMA Review Report for Fiscal Year 2011\n\n      Thank you for the opportunity to comment on the OIG FISMA report for Fiscal Year\n      2011. As noted in the report, the Corporation has taken steps in FY 2011 to continue to\n      improve its information security program and compliance with FISMA. We\n      acknowledge that there is still work to do, and have a number of initiatives planned for\n      FY 2011 to further enhance the program.\n\n      Corporation Response\n      The Corporation has reviewed and concurred with three of the findings and\n      recommendations presented and did not concur with two of the findings in the report.\n      Indeed, the recommendations are in alignment with CNCS' Strategic Technology and\n      ongoing information assurance projects. Key accomplishments in FY 2011 include:\n\n         \xe2\x80\xa2    Continued updating of information assurance documentation to ensure\n              compliance with NIST and OMB privacy and system security guidance.\n         \xe2\x80\xa2    Completed vulnerability scanning of public-facing elements ofCNCS systems.\n         \xe2\x80\xa2    Hired a system security engineer and acquired scanning software to ensure that\n              new vulnerabilities are not introduced into CNCS systems.\n         \xe2\x80\xa2    Continuation of efforts to work with external system providers to the Corporation\n              to comply with FISMA requirements.\n\n      The Corporation will continue to review and refine our information security and privacy\n      programs in the upcoming fiscal year. 
If you have any questions about this response or\n      the planned activities, please contact the Corporation's ChiefInformation Security\n      Officer, Laurie Young at (202) 606-6662.\n\n\n\n                                         12:4 0)U.,,~\n                                           Philip W/Clark\n                                           Chief Information Officer\n\n\n\n                    Senior Corps   * AmeriCorps * Learn and Serve America\n    1201 New York Avenue, NW    * Washington, DC 20525 * 202-606-5000 * www.nationalservice.gov\n\x0c                             FY 2011 FISMA Independent Evaluation\n                    Corporation for National and Community Services (CNCS)\n                                            Finding 1\n\n\n\nFinding # 1: The ESPAN annual assessment test plan and test documentation is insufficient\nbecause it does not provide procedures for testing controls, the dates when the controls are\ntested, or links to the source documentation to show evidence of the testing.\n\n\nRecommendation(s)\n\n       We recommend that CNCS conduct annual assessments in a more structured, planned\n       process that provides detailed information regarding test dates, explanation of testing\n       procedures, and links from the controls to the source documents.\n\nManagement Response\n\n           Management concurs with the Notification of Finding.\n\n           Management does not concur with the Notification of Finding.\n\nThe Security and Testing Evaluation (ST&E) spreadsheet used by the Corporation has been\nfound acceptable in previous years by Financial Auditors and the FISMA Reviewers. The\nCorporation\xe2\x80\x99s testing control procedures (Assessment Method, Assessment Objects, and\nAssessment Tool columns fields from the CNCS ST&E spreadsheet) are from the\ncomprehensive set of assessment procedures as described in Appendix F of NIST SP800-53A,\nGuide for Assessing the Security Controls in Federal Information Systems. 
There has been no\nrecent change to NIST guidance in this area. CNCS sees no need to depart from what has\nbeen accepted practice.\n\nThe \xe2\x80\x9cProjected Review Date\xe2\x80\x9d on the spreadsheet reflects either the date that controls were\ntested (meeting the NIST requirement), or a future date when testing is expected. CNCS will\nchange the title of this column to \xe2\x80\x9cReview Date\xe2\x80\x9d to eliminate any confusion in the future.\n\nAll documentation supporting the test of each control is contained in a separate file folder for\neach control, meeting the NIST requirement to provide documentation for each control tested.\nLinks in the spreadsheet to the source documentation (Artifacts) is not a requirement by the\nNIST and is not a valid basis for a finding. However, to make this review easier for auditors,\nfuture assessments will link the artifacts to the corresponding control test on the spreadsheet.\n\n\nOIG Comments\n\nOIG concurs with OIT\xe2\x80\x99s statement regarding making changes to the Security and Testing\nEvaluation spreadsheet to avoid future confusion.\n\x0c                            FY 2011 FISMA Independent Evaluation\n                   Corporation for National and Community Services (CNCS)\n                                           Finding 2\n\n\n\nFinding # 2 There are no agreements defining the level of service for the HP help desk\xe2\x80\x99s fax\nlocation or documentation stating that the fax location is in compliance with CNCS security\nrequirements. The Certification and Accreditation documentation lists four areas within the HP\nboundary: Chicago, IL; Santa Clara, CA; London, KY; and Orlando, FL. The Montgomery, AL,\nfacility is not included within the C&A boundary.\n\n\nRecommendation(s)\n\n       We recommend that CNCS require HP to develop a SLA or provide C&A documentation\n       for the fax location in Montgomery. 
We also recommend that the Montgomery facility should
       be included within the C&A boundary to ensure that the proper security controls are in
       place to protect CNCS information.

Management Response

          Management concurs with the Notification of Finding.

          Management does not concur with the Notification of Finding.

The Corporation agrees that the National Service Hotline fax server that resides in London, KY
was not assessed during the certification. Various documents are faxed to the National Service
Hotline fax server that resides in London, KY. HP Help Desk employees receive, review, and
upload via VPN these faxes to a secure share on a CNCS server on behalf of the Trust.

Rather than certify the London, KY fax server, the Corporation will remove the fax server in
London, KY and establish a fax server at the CNCS headquarters. HP Help Desk employees
will continue to review the faxes, but through a VPN connection between HP and CNCS. The
new fax server and its associated controls will be assessed by the CNCS IA staff to ensure
compliance with Federal and agency security requirements.
The HP Help Desk SSP will also
be updated to reflect this change.

The fax location at Montgomery, AL has not stored and will not store data, either as a
production or backup facility, and is therefore not subject to certification.

OIG Comments

OIG concurs.

Finding # 3: There is no Service Level Agreement (SLA) or Certification and Accreditation
documentation for the SRA help desk regarding its use of a third-party vendor, ServiceNow, to
document and track help desk calls and requests for the CNCS network and computing
environment.

Recommendation(s)

       We recommend that SRA include the ServiceNow server as part of the CNCS network
       boundary and require SRA to provide either a SLA or C&A documentation for it.

Management Response

           Management concurs with the Notification of Finding.

           Management does not concur with the Notification of Finding.

CNCS nonconcurs with the recommendation to place the ServiceNow application within the
CNCS network boundary. ServiceNow does not meet the criteria contained in guidance from
the National Institute of Standards and Technology (NIST) SP800-37, Guide for Applying the
Risk Management Framework to Federal Information Systems, for determining what elements
belong within the network boundary.

The guidance provides that: "The set of information resources allocated to an information
system defines the boundary for that system. Organizations have significant flexibility in
determining what constitutes an information system and its associated boundary.
If a set of
information resources is identified as an information system, the resources are generally under
the same direct management control… In addition to consideration of direct management
control, it may also be helpful for organizations to determine if the information resources being
identified as an information system:
        • Support the same mission/business objectives or functions and essentially the same
          operating characteristics and information security requirements; and
        • Reside in the same general operating environment (or in the case of a distributed
          information system, reside in various locations with similar operating environments)."

Therefore, CNCS has designated ServiceNow as an external information system service. As
such, ServiceNow should have a SLA or a C&A. NIST also uses ServiceNow and is currently
conducting a C&A of that application. CNCS has decided to accept the NIST C&A for CNCS
purposes. CNCS has accepted the risk of operating ServiceNow pending the NIST C&A
completion (Waiver FY11-013), as has NIST. To mitigate the risk of operating this application
while certification is underway, the CNCS Information Assurance team is coordinating access to
perform monthly non-intrusive vulnerability scans against the ServiceNow servers.

OIG Comments

OIG concurs with OIT statements regarding the following: 1) acceptance of NIST C&A for CNCS
purposes; and 2) stated plan of action to mitigate the risk of operating the ServiceNow
application while certification is underway.
OIG also concurs with OIT's statement regarding
why ServiceNow should not be part of the CNCS boundary.

Finding # 4: Personally Identifiable Information (PII) was found exposed in the office suite of
the Michigan State office. Documents were found containing names, Social Security Numbers
(SSN), and addresses in a box in an open, unlocked supply room.

Recommendation(s)

       We recommend that CNCS require all office directors to conduct semiannual office
       walk-throughs to detect instances of unsecured PII. If a violation is detected, PII documents
       should be secured or disposed of in a secure manner. The results of the walk-through
       shall be reported to the Chief Information Security Officer or designee.

Management Response

           Management concurs with the Notification of Finding.

           Management does not concur with the Notification of Finding.

We concur with the finding and will have all office directors conduct semiannual office
walkthroughs which will be reported to the CISO.
The Michigan office has rectified the situation.
They have inventoried the room and ensured that it now contains only materials that are public
and promotional in nature, and securely destroyed the document in question. The
Michigan State Director will review the PII security of the office space and report his findings to
his direct supervisor—the North Central Cluster Area Manager—once per quarter.

OIG Comments

OIG concurs.

Finding # 5: Our review of the CNCS Information Security Policies (CNCS ISP) disclosed
several references to a CNCS record retention policy. However, we were not provided a copy of
this policy and, therefore, could not validate its existence.

Recommendation(s)

       We recommend that CNCS develop a record retention policy that speaks directly to the
       procedures required by NARA and issue this policy to field office directors.

Management Response

          Management concurs with the Notification of Finding.

          Management does not concur with the Notification of Finding.

The Corporation agrees with this finding and a record retention policy will be developed and
issued to the field office directors.

OIG Comments

OIG concurs.